Null-ptr-deref due to "sanitized pathwalk machinery (v4)"
From: Qian Cai
Date: Tue Mar 24 2020 - 17:06:09 EST
Reverted the series on the top of today's linux-next fixed boot crashes.
# git revert 609c56723133..e0e25e9bbed5 --no-edit [1]
[ 53.027443][ T3519] BUG: Kernel NULL pointer dereference on read at 0x00000000
[ 53.027480][ T3519] Faulting instruction address: 0xc0000000004dbfa4
[ 53.027498][ T3519] Oops: Kernel access of bad area, sig: 11 [#1]
[ 53.027521][ T3519] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[ 53.027538][ T3519] Modules linked in: kvm_hv kvm ip_tables x_tables xfs sd_mod bnx2x ahci libahci mdio libata tg3 libphy firmware_class dm_mirror dm_region_hash dm_log dm_mod
[ 53.027594][ T3519] CPU: 36 PID: 3519 Comm: polkitd Not tainted 5.6.0-rc7-next-20200324 #1
[ 53.027618][ T3519] NIP: c0000000004dbfa4 LR: c0000000004dc040 CTR: 0000000000000000
[ 53.027634][ T3519] REGS: c0002013879af810 TRAP: 0300 Not tainted (5.6.0-rc7-next-20200324)
[ 53.027668][ T3519] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24004422 XER: 20040000
[ 53.027708][ T3519] CFAR: c0000000004dc044 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
[ 53.027708][ T3519] GPR00: c0000000004dc040 c0002013879afaa0 c00000000165a500 0000000000000000
[ 53.027708][ T3519] GPR04: c000000001511408 0000000000000000 c0002013879af834 0000000000000002
[ 53.027708][ T3519] GPR08: 0000000000000001 0000000000000000 0000000000000000 0000000000000001
[ 53.027708][ T3519] GPR12: 0000000000004000 c000001ffffe1e00 0000000000000000 0000000000000000
[ 53.027708][ T3519] GPR16: 0000000000000000 0000000000000001 0000000000000000 0000000000000000
[ 53.027708][ T3519] GPR20: c000200ea1eacf38 c000201c8102f043 2f2f2f2f2f2f2f2f 0000000000000003
[ 53.027708][ T3519] GPR24: 0000000000000000 c0002013879afbc8 fffffffffffff000 0000000000200000
[ 53.027708][ T3519] GPR28: ffffffffffffffff 61c8864680b583eb 0000000000000000 0000000000002e2e
[ 53.027931][ T3519] NIP [c0000000004dbfa4] link_path_walk+0x284/0x4c0
__d_entry_type at include/linux/dcache.h:389
(inlined by) d_can_lookup at include/linux/dcache.h:404
(inlined by) link_path_walk at fs/namei.c:2178
[ 53.027963][ T3519] LR [c0000000004dc040] link_path_walk+0x320/0x4c0
[ 53.027993][ T3519] Call Trace:
[ 53.028013][ T3519] [c0002013879afaa0] [c0000000004dc040] link_path_walk+0x320/0x4c0 (unreliable)
[ 53.028050][ T3519] [c0002013879afb60] [c0000000004dc334] path_lookupat+0x94/0x1b0
[ 53.028084][ T3519] [c0002013879afba0] [c0000000004ddf80] filename_lookup.part.55+0xa0/0x170
[ 53.028101][ T3519] [c0002013879afce0] [c0000000004ca748] vfs_statx+0xa8/0x190
[ 53.028117][ T3519] [c0002013879afd60] [c0000000004cacc0] __do_sys_newstat+0x40/0x90
[ 53.028145][ T3519] [c0002013879afe20] [c00000000000b378] system_call+0x5c/0x68
[ 53.028178][ T3519] Instruction dump:
[ 53.028197][ T3519] 3bdeffff e9390058 38800000 7f23cb78 7fde07b4 1d5e0030 7d295214 eaa90020
[ 53.028245][ T3519] 4bfffac5 2fa30000 409e00ac e9390008 <81290000> 55290256 7f89d800 409e0160
[ 53.028284][ T3519] ---[ end trace 0effae07d5cccfa0 ]â
[ 705.047353][ T4874] BUG: KASAN: invalid-access in link_path_walk+0x374/0x53c
__d_entry_type at include/linux/dcache.h:389
(inlined by) d_can_lookup at include/linux/dcache.h:404
(inlined by) link_path_walk at fs/namei.c:2178
[ 705.054422][ T4874] Read of size 4 at addr 0000000000000000 by task plymouthd/4874
[ 705.062003][ T4874]
[ 705.064213][ T4874] CPU: 16 PID: 4874 Comm: plymouthd Tainted: G L 5.6.0-rc7-next-20200324 #1
[ 705.074055][ T4874] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 705.084502][ T4874] Call trace:
[ 705.087663][ T4874] dump_backtrace+0x0/0x224
[ 705.092036][ T4874] show_stack+0x20/0x2c
[ 705.096063][ T4874] dump_stack+0xfc/0x184
[ 705.100178][ T4874] __kasan_report+0x178/0x238
[ 705.104725][ T4874] kasan_report+0x3c/0x58
[ 705.108925][ T4874] check_memory_region+0x98/0xa0
[ 705.113734][ T4874] __hwasan_load4_noabort+0x18/0x20
[ 705.118801][ T4874] link_path_walk+0x374/0x53c
[ 705.123350][ T4874] path_lookupat+0x78/0x1d4
[ 705.127723][ T4874] filename_lookup+0x80/0x124
[ 705.132270][ T4874] user_path_at_empty+0x54/0x68
[ 705.136990][ T4874] vfs_statx+0xcc/0x1b8
[ 705.141016][ T4874] __arm64_sys_newfstatat+0x94/0x120
[ 705.146169][ T4874] do_el0_svc+0x128/0x1dc
[ 705.150369][ T4874] el0_sync_handler+0xd0/0x268
[ 705.155003][ T4874] el0_sync+0x164/0x180
[ 705.159028][ T4874] ==================================================================
[ 705.166957][ T4874] Disabling lock debugging due to kernel taint
[ 705.173067][ T4874] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 705.182599][ T4874] Mem abort info:
[ 705.186104][ T4874] ESR = 0x96000005
[ 705.189906][ T4874] EC = 0x25: DABT (current EL), IL = 32 bits
[ 705.195928][ T4874] SET = 0, FnV = 0
[ 705.199727][ T4874] EA = 0, S1PTW = 0
[ 705.203578][ T4874] Data abort info:
[ 705.207168][ T4874] ISV = 0, ISS = 0x00000005
[ 705.211749][ T4874] CM = 0, WnR = 0
[ 705.215431][ T4874] user pgtable: 64k pages, 48-bit VAs, pgdp=0000009659f42000
[ 705.222702][ T4874] [0000000000000000] pgd=0000000000000000, pud=0000000000000000
[ 705.230250][ T4874] Internal error: Oops: 96000005 [#1] SMP
[ 705.235824][ T4874] Modules linked in: thunderx2_pmu processor efivarfs ip_tables xfs libcrc32c sd_mod ahci libahci mlx5_core libata dm_mirror dm_region_hash dm_log dm_mod
[ 705.251173][ T4874] CPU: 16 PID: 4874 Comm: plymouthd Tainted: G B L 5.6.0-rc7-next-20200324 #1
[ 705.260999][ T4874] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 705.271438][ T4874] pstate: 60400009 (nZCv daif +PAN -UAO BTYPE=--)
[ 705.277708][ T4874] pc : link_path_walk+0x374/0x53c
[ 705.282587][ T4874] lr : link_path_walk+0x374/0x53c
[ 705.287463][ T4874] sp : b1ff00916cdefa90
[ 705.291473][ T4874] x29: b1ff00916cdefb30 x28: 9cff00098d5eb703
[ 705.297485][ T4874] x27: 0000000000000000 x26: fefefefefefefeff
[ 705.303496][ T4874] x25: 0000000236266748 x24: 2f2f2f2f2f2f2f2f
[ 705.309507][ T4874] x23: b1ff00916cdefba0 x22: b1ff00916cdefbc8
[ 705.315518][ T4874] x21: b1ff00916cdefbe0 x20: b1ff00916cdefbd0
[ 705.321529][ T4874] x19: b1ff00916cdefb98 x18: 0000000000000000
[ 705.327540][ T4874] x17: 0000000000000000 x16: 0000000000000000
[ 705.333550][ T4874] x15: 0000000000000000 x14: 2020202020202020
[ 705.339561][ T4874] x13: 20424d5f45484341 x12: 50415f3130432f20
[ 705.345571][ T4874] x11: 0000000000000003 x10: ffff8008bb246a3e
[ 705.351582][ T4874] x9 : 68bdf6118cf10200 x8 : 0000000000000000
[ 705.357592][ T4874] x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000000
[ 705.363602][ T4874] x5 : 0000000000000080 x4 : 0000000000000000
[ 705.369612][ T4874] x3 : ffff900010a5a394 x2 : 0000000000000001
[ 705.375622][ T4874] x1 : 0000000000000004 x0 : 0000000000000000
[ 705.381631][ T4874] Call trace:
[ 705.384777][ T4874] link_path_walk+0x374/0x53c
[ 705.389311][ T4874] path_lookupat+0x78/0x1d4
[ 705.393670][ T4874] filename_lookup+0x80/0x124
[ 705.398204][ T4874] user_path_at_empty+0x54/0x68
[ 705.402909][ T4874] vfs_statx+0xcc/0x1b8
[ 705.406921][ T4874] __arm64_sys_newfstatat+0x94/0x120
[ 705.412060][ T4874] do_el0_svc+0x128/0x1dc
[ 705.416247][ T4874] el0_sync_handler+0xd0/0x268
[ 705.420865][ T4874] el0_sync+0x164/0x180
[ 705.424883][ T4874] Code: 97fe39bd f94002fb aa1b03e0 97fe39aa (b9400368)
[ 705.432066][ T4874] ---[ end trace 71f0365c08ac491a ]---
[ 705.437381][ T4874] Kernel panic - not syncing: Fatal exception
[ 705.443608][ T4874] SMP: stopping secondary CPUs
[ 705.448297][ T4874] Kernel Offset: disabled
[ 705.452483][ T4874] CPU features: 0x006002,61000c38
[ 705.457359][ T4874] Memory Limit: none
[ 705.461411][ T4874] ---[ end Kernel panic - not syncing: Fatal exception ]â
[1]
e0e25e9bbed5 lookup_open(): don't bother with fallbacks to lookup+create
b686da54700f atomic_open(): no need to pass struct open_flags anymore
60e1d0b8512f open_last_lookups(): move complete_walk() into do_open()
4d7ed93ff9db open_last_lookups(): lift O_EXCL|O_CREAT handling into do_open()
57e9b028e9e7 open_last_lookups(): don't abuse complete_walk() when all we want is unlazy
c01d40b1c03c open_last_lookups(): consolidate fsnotify_create() calls
c8291f6b0037 take post-lookup part of do_last() out of loop
881386f7e46a link_path_walk(): sample parent's i_uid and i_mode for the last component
0e47dacb7f29 __nd_alloc_stack(): make it return bool
794dc2d56401 reserve_stack(): switch to __nd_alloc_stack()
59089811438c pick_link(): take reserving space on stack into a new helper
8c60edbc56a2 pick_link(): more straightforward handling of allocation failures
4efc770ddf45 fold path_to_nameidata() into its only remaining caller
dcc11116def1 pick_link(): pass it struct path already with normal refcounting rules
0058fcb4c3b5 fs/namei.c: kill follow_mount()
ffa2db4ac3e7 non-RCU analogue of the previous commit
8255cecd93ba helper for mount rootwards traversal
573f88cea0e2 follow_dotdot(): be lazy about changing nd->path
ea63a0dc31fd follow_dotdot_rcu(): be lazy about changing nd->path
5c19a79cd9d3 follow_dotdot{,_rcu}(): massage loops
5e3c3570ec97 lift all calls of step_into() out of follow_dotdot/follow_dotdot_rcu
6dfd9fe54dfd follow_dotdot{,_rcu}(): switch to use of step_into()
7521f22b3ce2 handle_dots(), follow_dotdot{,_rcu}(): preparation to switch to step_into()
957dd41d8842 move handle_dots(), follow_dotdot() and follow_dotdot_rcu() past step_into()
c9a0f75d81e3 follow_dotdot{,_rcu}(): lift LOOKUP_BENEATH checks out of loop
abc2c632e0ce follow_dotdot{,_rcu}(): lift switching nd->path to parent out of loop
a6a7eb7628cf expand path_parent_directory() in its callers
63b27720a476 path_parent_directory(): leave changing path->dentry to callers
6b03f7edf43e path_connected(): pass mount and dentry separately
c981a4828125 split the lookup-related parts of do_last() into a separate helper
973d4b73fbaf do_last(): rejoin the common path even earlier in FMODE_{OPENED,CREATED} case
8795e7d48288 do_last(): simplify the liveness analysis past finish_open_created
5a2d3edd8dad do_last(): rejoing the common path earlier in FMODE_{OPENED,CREATED} case
59e96e65833e do_last(): don't bother with keeping got_write in FMODE_OPENED case
3ad5615a071f do_last(): merge the may_open() calls
7be219b4dcd9 atomic_open(): lift the call of may_open() into do_last()
6fb968cdf9d0 atomic_open(): return the right dentry in FMODE_OPENED case
9deed3ebca24 new helper: traverse_mounts()
ea936aeb3ead massage __follow_mount_rcu() a bit
c108837e06b6 namei: have link_path_walk() maintain LOOKUP_PARENT
d8d4611a4f2d link_path_walk(): simplify stack handling
b1a819724074 pick_link(): check for WALK_TRAILING, not LOOKUP_PARENT
8c4efe22e7c4 namei: invert the meaning of WALK_FOLLOW
b4c0353693d2 sanitize handling of nd->last_type, kill LAST_BIND
ad6cc4c338f4 finally fold get_link() into pick_link()
06708adb99e8 merging pick_link() with get_link(), part 6
b0417d2c7298 merging pick_link() with get_link(), part 5
92d270165cff merging pick_link() with get_link(), part 4
40fcf5a931af merging pick_link() with get_link(), part 3
1ccac622f9da merging pick_link() with get_link(), part 2
43679723d27f merging pick_link() with get_link(), part 1
a9dc1494a782 expand the only remaining call of path_lookup_conditional()
161aff1d93ab LOOKUP_MOUNTPOINT: fold path_mountpointat() into path_lookupat()
cbae4d12eeee fold handle_mounts() into step_into()
aca2903eefd0 new step_into() flag: WALK_NOFOLLOW
56676ec39019 step_into() callers: dismiss the symlink earlier
20e343571cef lookup_fast(): take mount traversal into callers
c153007b7b7a teach handle_mounts() to handle RCU mode
b023e1728bec lookup_fast(): consolidate the RCU success case
db3c9ade50b1 handle_mounts(): pass dentry in, turn path into a pure out argument
e73cabff5917 do_last(): collapse the call of path_to_nameidata()
da5ebf5aa676 lookup_open(): saner calling conventions (return dentry on success)